Production deployment (#267)
**Only merge using a merge commit!**
github-actions[bot] authored Feb 12, 2024
2 parents c6d8a4a + 60f9d6c commit 1c0d14d
Showing 17 changed files with 143 additions and 16 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/terraform-plan.yml
@@ -63,6 +63,9 @@ jobs:
working-directory: terraform
id: plan
continue-on-error: true
env:
TF_VAR_cloudflare_api_token: ${{ secrets.TF_VAR_CLOUDFLARE_API_TOKEN }}
TF_VAR_api_subdomain: sinister-api-test

- uses: actions/github-script@v7.0.1
if: github.event_name == 'pull_request'
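Review bot: the plan step now receives `TF_VAR_cloudflare_api_token` from repository secrets, and the step right after it is gated on `github.event_name == 'pull_request'`, so this token is present in the environment of runs triggered by pull requests; a comment next to the `env:` block should state that the Cloudflare token is limited to DNS edits on the one zone and that the job is not expected to run for pull requests from forks. The plan step also keeps `continue-on-error: true`, so a failed `terraform plan` does not fail the job by itself; make sure a later step checks `steps.plan.outcome`.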
8 changes: 4 additions & 4 deletions app/package-lock.json
2 changes: 1 addition & 1 deletion app/package.json
@@ -67,7 +67,7 @@
"eslint": "8.56.0",
"eslint-config-next": "14.1.0",
"postcss": "8.4.33",
"prettier": "3.2.4",
"prettier": "3.2.5",
"prettier-plugin-organize-imports": "3.2.4",
"prettier-plugin-tailwindcss": "0.5.11",
"prisma": "5.9.1",
@@ -5,7 +5,7 @@ meta {
}

post {
url: {{emailFunctionEndpoint}}
url: {{emailFunctionEndpointCustomDomain}}
body: json
auth: none
}
@@ -5,7 +5,7 @@ meta {
}

post {
url: {{emailFunctionEndpoint}}
url: {{emailFunctionEndpointCustomDomain}}
body: json
auth: none
}
@@ -5,7 +5,7 @@ meta {
}

post {
url: {{emailFunctionEndpoint}}
url: {{emailFunctionEndpointCustomDomain}}
body: json
auth: none
}
4 changes: 2 additions & 2 deletions bruno-collection/Email function/Valid request.bru
@@ -5,14 +5,14 @@ meta {
}

post {
url: {{emailFunctionEndpoint}}
url: {{emailFunctionEndpointCustomDomain}}
body: json
auth: none
}

body:json {
{
"requestId": "clshdsp3g000108ilcpxqdh1k",
"requestId": "clshpwtnz000008l6dnuygw8r",
"to": "hallo@simonknittel.de",
"template": "emailConfirmation",
"templateProps": {
2 changes: 1 addition & 1 deletion bruno-collection/environments/localhost.bru
@@ -1,5 +1,5 @@
vars {
emailFunctionEndpoint: https://xguhlotnsl.execute-api.eu-central-1.amazonaws.com/default/email-function
emailFunctionEndpointInvokeUrl: https://xguhlotnsl.execute-api.eu-central-1.amazonaws.com/default/email-function
appBaseUrl: http://localhost:3000
}
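Review bot: this environment renames `emailFunctionEndpoint` to `emailFunctionEndpointInvokeUrl` but defines no `emailFunctionEndpointCustomDomain`, while the four request files in this commit now use `{{emailFunctionEndpointCustomDomain}}`; with the localhost environment selected, those requests resolve to an empty URL. Either add `emailFunctionEndpointCustomDomain` here (pointing at whatever the local setup uses) or keep the localhost requests on the invoke URL. The renamed `emailFunctionEndpointInvokeUrl` is also no longer referenced by any of the changed requests in either environment, so note in the file why it is kept.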
vars:secret [
3 changes: 2 additions & 1 deletion bruno-collection/environments/test.bru
@@ -1,4 +1,5 @@
vars {
emailFunctionEndpoint: https://xguhlotnsl.execute-api.eu-central-1.amazonaws.com/default/email-function
emailFunctionEndpointInvokeUrl: https://xguhlotnsl.execute-api.eu-central-1.amazonaws.com/default/email-function
appBaseUrl: https://sinister-incorporated-git-develop-simonknittel.vercel.app
emailFunctionEndpointCustomDomain: https://sinister-api-test.simonknittel.de/email-function
}
15 changes: 13 additions & 2 deletions cloudformation/setup.yaml
@@ -54,7 +54,7 @@ Resources:
StringEquals:
token.actions.githubusercontent.com:aud: sts.amazonaws.com
StringLike:
# Related: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims
token.actions.githubusercontent.com:sub:
- repo:simonknittel/sinister-incorporated:job_workflow_ref:simonknittel/sinister-incorporated/.github/workflows/terraform-plan.yml@refs/pull/*
- repo:simonknittel/sinister-incorporated:job_workflow_ref:simonknittel/sinister-incorporated/.github/workflows/terraform-apply.yml@refs/heads/main
@@ -64,9 +64,17 @@ Resources:
Version: 2012-10-17
Statement:
- Effect: Allow
# Related: https://github.com/iann0036/iamlive
# https://github.com/iann0036/iamlive
Action:
- acm:DescribeCertificate
- acm:ListCertificates
- acm:GetCertificate
- acm:ListTagsForCertificate
- apigateway:GET
- apigateway:GetBasePathMapping
- apigateway:GetBasePathMappings
- apigateway:GetDomainName
- apigateway:GetDomainNames
- cloudfront:GetCachePolicy
- cloudfront:GetDistribution
- cloudfront:GetOriginAccessControl
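Review bot: `apigateway:GET` already authorizes every read against the API Gateway control plane, so the four `apigateway:Get*` lines directly below it add nothing; if they were produced by iamlive (per the comment above), verify that they are recognized IAM action names before keeping them. Since this statement ends in `Resource: "*"`, consider moving the new ACM and API Gateway reads into a separate statement scoped to the certificate and domain-name ARNs this deployment actually creates.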
@@ -120,6 +128,9 @@ Resources:
- s3:GetReplicationConfiguration
- s3:ListBucket
- schemas:DescribeDiscoverer
- schemas:ListTagsForResource
- sqs:GetQueueAttributes
- sqs:ListQueueTags
- ssm:GetParameter
- sts:GetCallerIdentity
Resource: "*"
23 changes: 23 additions & 0 deletions terraform/.terraform.lock.hcl
6 changes: 4 additions & 2 deletions terraform/config.tf
@@ -4,7 +4,7 @@ resource "aws_config_configuration_recorder" "default" {
recording_group {
all_supported = false

# Related: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
# https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
resource_types = [
"AWS::ApiGateway::RestApi",
"AWS::ApiGateway::Stage",
@@ -17,7 +17,9 @@ resource "aws_config_configuration_recorder" "default" {
"AWS::CloudWatch::Alarm",
"AWS::Events::EventBus",
"AWS::Events::Rule",
"AWS::SQS::Queue"
"AWS::SQS::Queue",
"AWS::ACM::Certificate",
"AWS::DynamoDB::Table"
]
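Review bot: the recorder now tracks `AWS::ACM::Certificate` and `AWS::DynamoDB::Table`, but the API Gateway custom domain and base path mapping that this same commit creates in `terraform/domain-name.tf` are not in the list; check the linked resource-config reference for the matching types and add them if they are supported, so the certificate-to-domain binding is recorded along with the certificate. The existing entries also appear to be sorted alphabetically, while the two new ones are appended after `AWS::SQS::Queue`.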

recording_strategy {
59 changes: 59 additions & 0 deletions terraform/domain-name.tf
@@ -0,0 +1,59 @@
resource "aws_acm_certificate" "main" {
domain_name = "${var.api_subdomain}.${data.cloudflare_zones.main.zones[0].name}"
validation_method = "DNS"

lifecycle {
create_before_destroy = true
}
}

resource "cloudflare_record" "main_validation" {
for_each = {
for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}

zone_id = data.cloudflare_zones.main.zones[0].id
name = each.value.name
value = each.value.record
type = each.value.type
proxied = false
comment = "terraform; repository:simonknittel/simonknittel.de"
}

resource "aws_acm_certificate_validation" "main" {
certificate_arn = aws_acm_certificate.main.arn
validation_record_fqdns = [
for record in cloudflare_record.main_validation : record.hostname
]
}

resource "aws_api_gateway_domain_name" "main" {
depends_on = [aws_acm_certificate_validation.main]

regional_certificate_arn = aws_acm_certificate.main.arn
domain_name = "${var.api_subdomain}.${data.cloudflare_zones.main.zones[0].name}"
security_policy = "TLS_1_2"

endpoint_configuration {
types = ["REGIONAL"]
}
}

resource "aws_api_gateway_base_path_mapping" "main" {
api_id = aws_api_gateway_rest_api.main.id
stage_name = aws_api_gateway_stage.default.stage_name
domain_name = aws_api_gateway_domain_name.main.domain_name
}

resource "cloudflare_record" "main_cname" {
zone_id = data.cloudflare_zones.main.zones[0].id
name = var.api_subdomain
value = aws_api_gateway_domain_name.main.regional_domain_name
type = "CNAME"
proxied = false
comment = "terraform; repository:simonknittel/simonknittel.de"
}
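Review bot: both `cloudflare_record` comments read `repository:simonknittel/simonknittel.de`, but this is the sinister-incorporated repository (see the `repo:simonknittel/sinister-incorporated` subjects in cloudformation/setup.yaml); fix the tag so the DNS records can be traced back to the right code. In `aws_api_gateway_domain_name.main`, using `aws_acm_certificate_validation.main.certificate_arn` instead of `aws_acm_certificate.main.arn` expresses the validation dependency through the resource graph and makes the explicit `depends_on` unnecessary. `security_policy = "TLS_1_2"` and `create_before_destroy` on the certificate are the right choices here.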
16 changes: 16 additions & 0 deletions terraform/main.tf
@@ -13,6 +13,11 @@ terraform {
source = "hashicorp/external"
version = "2.3.2"
}

cloudflare = {
source = "cloudflare/cloudflare"
version = "4.23.0"
}
}
}

@@ -28,3 +33,14 @@ provider "aws" {
}

data "aws_caller_identity" "current" {}

provider "cloudflare" {
api_token = var.cloudflare_api_token
}

data "cloudflare_zones" "main" {
filter {
name = "simonknittel.de"
lookup_type = "exact"
}
}
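Review bot: the zone lookup hard-codes `name = "simonknittel.de"` while the subdomain comes from `var.api_subdomain`; since domain-name.tf assembles the full hostname from `data.cloudflare_zones.main.zones[0].name`, moving the zone name into a variable beside `api_subdomain` keeps both halves of the hostname configured in one place. Every consumer also indexes `zones[0]`, which fails with an index error if the token cannot read that zone or the exact-name filter matches nothing; a short comment on the data source would save the next person a confusing plan failure.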
Binary file added terraform/modules/api-gateway-sqs-lambda/dist.zip
Binary file not shown.
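Review bot: `dist.zip` for the api-gateway-sqs-lambda module is committed as a prebuilt artifact, so reviewers cannot see what changed inside it and the deployed function cannot be tied to a source revision; prefer building the zip in the workflow, or at least record the source commit and a checksum next to it, so the Lambda package is reproducible from the repository.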
4 changes: 4 additions & 0 deletions terraform/outputs.tf
@@ -2,6 +2,10 @@ output "api_gateway_url" {
value = aws_api_gateway_stage.default.invoke_url
}

output "api_gateway_custom_domain" {
value = cloudflare_record.main_cname.hostname
}

output "care_bear_shooter_build_url" {
value = aws_cloudfront_distribution.care_bear_shooter_build.domain_name
}
8 changes: 8 additions & 0 deletions terraform/variables.tf
@@ -0,0 +1,8 @@
variable "cloudflare_api_token" {
type = string
sensitive = true
}

variable "api_subdomain" {
type = string
}
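Review bot: `api_subdomain` has no `description` and no `validation` block even though it is interpolated straight into the ACM `domain_name` and the Cloudflare CNAME; add a description naming the value the plan workflow passes (`sinister-api-test`) and a validation that restricts it to a single DNS label, for example `condition = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.api_subdomain))`. `cloudflare_api_token` is correctly marked `sensitive = true`; a description of the token's required scope would help whoever rotates it.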

0 comments on commit 1c0d14d